Looking for an external Data Protection Officer?DATUREX GmbH Dresden
DATUREXData Protection Laws
GDPR — Table of Contents

AI-generated summary

This provision protects data subjects from decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect them. Exceptions apply for contractual necessity, legal authorisation, or explicit consent, but in those cases the controller must implement suitable safeguards, including the right to obtain human intervention.

Art. 22 GDPR

Automated individual decision-making, including profiling

(1.)The data subject shall have the right not to be subject to a decision based solely on automated , including , which produces legal effects concerning him or her or similarly significantly affects him or her.
(2.)Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data ; (b) is authorised by Union or Member State law to which the is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit .
(3.)In the cases referred to in points (a) and (c) of paragraph 2, the data shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the , to express his or her point of view and to contest the decision.
(4.)Decisions referred to in paragraph 2 shall not be based on special categories of referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
Source:
EUR-Lex CELEX 02016R0679-20160504
Citation:
OJ L 119, 04.05.2016, p. 1; corrected by OJ L 127, 23.05.2018, p. 2
As of:
2016-05-04
Retrieved:
2026-02-25